There are many cases where users submit private data to remote servers. The organization operating the servers (the serving organization) may claim to protect the user's data in one way or another (for instance in a privacy statement). The users may not fully trust the organization operating the servers (the serving organization), and may wish to have some strong assurance from a trusted third party that the serving organization will honor its claim of protection. Today this is done in a weak fashion. For instance, the third party may examine the server software and provide a certification that the software faithfully executes the protection claim. However, the serving organization may easily modify its software afterwards and remove the claimed protections. There is a need for systems and methods that enforce trusted third party control over server software, so that the serving organization must be incapable of modifying its software without approval from the third party. Furthermore, users must have strong assurance that this enforced control exists before transmitting private data to the server.